On Tuesday, May 4, 2004, 3:49:06 AM, David Hooton wrote:
On Tuesday, May 4, 2004, 2:48:17 AM, David Hooton wrote:
Jeff Chan wrote:
- Merge into ws: probably no specific code for phishing
- Merge into combined list: could have a separate code
2a. (With no separate list for phishing if it's small.)
I personally think 2 is the preferred option as it provides domain & netblock owners with a possible means of becoming unlisted, further helping us remove false positives and mopped up incidents as soon as we can.
The concept being a custom response (txt record) would facilitate the person whose mail is altered knowing why - i.e. phishing not Spam.
Aha, you were more concerned about a specific reason (i.e. phishing) being presented. I misunderstood. That would probably be better if I did the combining.
That said, processing things here automatically may be a bit quicker than going through Bill's more manual procedure. Maybe I should assume we will do the merging here.
Also I'm somewhat concerned about "netblocks" going to SURBLs
I understand this, and as the listing policy states we are only planning on listing individual IP addresses and domains that are included in phishing attacks.
No pre-emptive blocking will be conducted on IP ranges.
Sounds good.
I think where the confusion has come in is that I have referred to allowing "Netblock Owners", i.e. people who own the IP space, to request removal of their individual IP addresses from the SURBL once the IP has been mopped up.
Got it. I read that as discussing input data for the list as opposed to describing resulting actions taken to get off the list.
There is a much higher incidence of IP-based URLs in phishing attacks than in general spam, due in part to the majority of attacks being built on stolen bandwidth and on hacked/trojaned servers.
Thanks for the added background. Multiple, individual IP-based URIs scattered around the Internet would work fine as a SURBL.
I can't see it hitting much more than 1500 records at any one time. This is mainly due to the fact that we're planning on running an expiry process as outlined on the policy page & because we hope to provide a means of notification & removal for ISPs and machine owners.
OK good to know.
I have not seen the same IP address used more than once and have only seen individual domains used for around a week or two in phishes. I think the self expiring model is probably a wise approach due to this.
Yes, that sounds very appropriate to the data.
Jeff C.